VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating: 75
Behavior list
Basic Information
MD5: badcfd2b80abfc50770f46fb90262b78
File type: Rar
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual C# / Basic .NET [Overlay]
Subfile information (name / MD5 / type):
KMSAuto Net.exe / d02b35945c18e89dc3bb43bc7f6153be / EXE
readme_ua.txt / 9041af5ee38b10982e2c1f3451e41bed / Unknown
readme_ru.txt / 1c56b3e7ea411f95276d55767b4084c1 / Unknown
readme_bg.txt / 6b71ef0d4817d1732b333df1f6e3c5dc / Unknown
readme_vi.txt / 25fce528c81065cd5309083a0b3f1b5e / Unknown
readme_fr.txt / 59168b67b69b95ddacf6c845fba47d2a / Unknown
readme_es.txt / 38e4ec7368615767bf358be81d95935d / Unknown
readme_en.txt / b76901f293dd7e86a238569ef3e10263 / Unknown
readme_cn.txt / b7c069690d9392e4dcaf0b7ad01a65fe / Unknown
readme_kms.txt / 352709b6aed3902d4399f6615a7a7e70 / Unknown
电脑天空.url / 1996cdffc45f606d819517673a2a7f89 / Unknown
淘猫猫-每天上万款优惠券秒杀,一折限时疯抢!-淘猫猫.url / f793a11c4a11d7db0493c3132e5e0aad / Unknown
Key behavior
Behavior description: Cross-process data write (all three target PIDs, 0xe74, 0xe38 and 0xec4, are the cmd.exe children listed under "Create process" below, and each receives the same three writes of 0x20, 0x34 and 4 bytes; nothing is written into a process the sample did not start itself)
details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000e74
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000e74
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000e74
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000e38
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000e38
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000e38
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ec4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ec4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x00000ec4
Behavior description: Read the CPU time-stamp counter directly (RDTSC; EAX and EDX hold the low and high 32 bits)
details: EAX = 0x4b5129bf, EDX = 0x00000077
EAX = 0x4b512a0b, EDX = 0x00000077
EAX = 0x4dd8f994, EDX = 0x00000077
EAX = 0x4dd8f9e0, EDX = 0x00000077
Behavior description: Get TickCount value (each GetTickCount reading is logged together with the Sleep duration it is paired with; the two 60000 ms entries are only 78 ticks apart)
details: TickCount = 208687, SleepMilliseconds = 60000.
TickCount = 208765, SleepMilliseconds = 60000.
TickCount = 148816, SleepMilliseconds = 20.
TickCount = 148848, SleepMilliseconds = 20.
TickCount = 148879, SleepMilliseconds = 20.
TickCount = 148910, SleepMilliseconds = 20.
TickCount = 148941, SleepMilliseconds = 20.
TickCount = 148973, SleepMilliseconds = 20.
TickCount = 149004, SleepMilliseconds = 20.
TickCount = 149035, SleepMilliseconds = 20.
TickCount = 149066, SleepMilliseconds = 20.
TickCount = 149859, SleepMilliseconds = 500.
TickCount = 149568, SleepMilliseconds = 100.
TickCount = 149678, SleepMilliseconds = 100.
TickCount = 149787, SleepMilliseconds = 100.
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = cmd /c md "C:\Users\Administrator\AppData\Local\MSfree Inc"
ImagePath = , CmdLine = C:\Windows\System32\cmd.exe /c echo test>>"C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable\test.test"
ImagePath = , CmdLine = C:\Windows\System32\cmd.exe /D /c del /F /Q "test.test"
Behavior description: Create process (creates the "MSfree Inc" settings directory, then appends to and deletes a test.test file inside its own extraction directory)
details: [0x00000e74]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /c md "C:\Users\Administrator\AppData\Local\MSfree Inc"
[0x00000e38]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\System32\cmd.exe /c echo test>>"C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable\test.test"
[0x00000ec4]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\System32\cmd.exe /D /c del /F /Q "test.test"
Behavior description: Cross-process data write (the same nine entries as listed under Key behavior above)
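Two checks a triager would run over the entries above, as an added example (my code, not VirSCAN's, and not something the report itself does): first, whether every cross-process write targets a PID the sample spawned itself (here all three are the cmd.exe children; a write into a PID that never appears under "Create process" would be the injection-into-an-existing-process pattern), and second, whether consecutive GetTickCount readings are consistent with the Sleep requested between them, which is the comparison a sample makes to detect a sandbox that shortens sleeps. The sample lines are copied verbatim from this report. The assumption that each TickCount line is logged immediately before its own Sleep is mine; the report also contains readings that go backwards (the log is not strictly chronological, or comes from more than one thread), so those pairs are counted separately rather than flagged.

```python
"""Triage of VirSCAN-style behavior log lines: correlate cross-process writes with
spawned children and compare GetTickCount/Sleep pairs for sleep acceleration.
Added example, not VirSCAN code. Sample lines below are copied from the report."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the "Create process", "Cross-process data write" and
# "Get TickCount value" entries of this report, verbatim and in report order.
CREATE_PROCESS_LINES = [
    r'[0x00000e74]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /c md "C:\Users\Administrator\AppData\Local\MSfree Inc"',
    r'[0x00000e38]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\System32\cmd.exe /c echo test>>"C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable\test.test"',
    r'[0x00000ec4]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\System32\cmd.exe /D /c del /F /Q "test.test"',
]
WRITE_LINES = [
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000e74',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000e74',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000e74',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000e38',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000e38',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000e38',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ec4',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ec4',
    r'TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x00000ec4',
]
TICK_LINES = [
    "TickCount = 208687, SleepMilliseconds = 60000.",
    "TickCount = 208765, SleepMilliseconds = 60000.",
    "TickCount = 148816, SleepMilliseconds = 20.",
    "TickCount = 148848, SleepMilliseconds = 20.",
    "TickCount = 148879, SleepMilliseconds = 20.",
    "TickCount = 148910, SleepMilliseconds = 20.",
    "TickCount = 148941, SleepMilliseconds = 20.",
    "TickCount = 148973, SleepMilliseconds = 20.",
    "TickCount = 149004, SleepMilliseconds = 20.",
    "TickCount = 149035, SleepMilliseconds = 20.",
    "TickCount = 149066, SleepMilliseconds = 20.",
    "TickCount = 149859, SleepMilliseconds = 500.",
    "TickCount = 149568, SleepMilliseconds = 100.",
    "TickCount = 149678, SleepMilliseconds = 100.",
    "TickCount = 149787, SleepMilliseconds = 100.",
]

CREATE_RE = re.compile(r"^\[(0x[0-9a-fA-F]+)\]ImagePath = ([^,]*), CmdLine = (.*)$")
WRITE_RE = re.compile(r"WriteAddress = (0x[0-9a-fA-F]+), Size = (0x[0-9a-fA-F]+)\s+TargetPID = (0x[0-9a-fA-F]+)")
TICK_RE = re.compile(r"TickCount = (\d+), SleepMilliseconds = (\d+)\.")


def spawned_children(lines: List[str]) -> Dict[int, str]:
    """Map child PID -> command line for every 'Create process' entry."""
    out: Dict[int, str] = {}
    for line in lines:
        m = CREATE_RE.match(line)
        if m:
            out[int(m.group(1), 16)] = m.group(3)
    return out


def bytes_written_per_pid(lines: List[str]) -> Dict[int, int]:
    """Total bytes written into each target PID across all cross-process writes."""
    totals: Dict[int, int] = {}
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            pid = int(m.group(3), 16)
            totals[pid] = totals.get(pid, 0) + int(m.group(2), 16)
    return totals


def foreign_write_targets(write_lines: List[str], create_lines: List[str]) -> Set[int]:
    """PIDs that received cross-process writes but were NOT spawned by the sample.
    Non-empty means writes into a pre-existing process (the injection pattern);
    empty means every write went into one of the sample's own children."""
    children = spawned_children(create_lines)
    return {pid for pid in bytes_written_per_pid(write_lines) if pid not in children}


def sleep_acceleration(lines: List[str]) -> Tuple[List[Tuple[int, int, int, int]], int]:
    """Compare each GetTickCount reading with the next one against the Sleep requested
    in between. Returns (pairs where less time elapsed than was requested, as
    (tick_before, tick_after, requested_ms, elapsed_ms), and the number of pairs
    where the tick count went backwards, i.e. the log is not chronological).
    Assumption: the sandbox logs GetTickCount right before the Sleep it pairs it with."""
    samples = [(int(m.group(1)), int(m.group(2))) for m in map(TICK_RE.search, lines) if m]
    flagged: List[Tuple[int, int, int, int]] = []
    backwards = 0
    for (t0, requested), (t1, _) in zip(samples, samples[1:]):
        elapsed = t1 - t0
        if elapsed < 0:
            backwards += 1
        elif elapsed < requested:
            flagged.append((t0, t1, requested, elapsed))
    return flagged, backwards


if __name__ == "__main__":
    print("children:", {hex(p): c[:40] for p, c in spawned_children(CREATE_PROCESS_LINES).items()})
    print("bytes per target PID:", {hex(p): n for p, n in bytes_written_per_pid(WRITE_LINES).items()})
    print("writes to non-child PIDs:", foreign_write_targets(WRITE_LINES, CREATE_PROCESS_LINES))
    print("sleep acceleration:", sleep_acceleration(TICK_LINES))
```

On the report's own lines the write check comes back empty (88 bytes into each of the three children) and the only flagged timing pair is 208687 to 208765: 78 ms elapsed around a 60000 ms Sleep, which is consistent with an analysis environment that shortens sleeps and is exactly what a sample's tick-count check would notice. Whether this sample acts on that difference is not something the report shows; the two readings may also come from different threads.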
File behavior
Behavior description: Create file
details: C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Administrator\AppData\Local\MSfree Inc\kmsauto.ini
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable\test.test
Behavior description: Delete file
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable\test.test
Behavior description: Modify file contents
details: C:\Users\Administrator\AppData\Local\MSfree Inc\kmsauto.ini ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable\test.test ---> Offset = 0
Behavior description: Find file
details: FileName = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\Windows\Microsoft.NET\Framework\\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\KMSAuto Net 2016 v1.5.0 Portable\KMSAuto Net.exe
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\KMSAuto Net\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\GDIPlus\FontCachePath (the GDI+ font cache location, which goes with the GDIPFONTCACHEV1.DAT file created above)
Other behavior
Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: Local\MidiMapper_modLongMessage_RefCnt
Behavior description: Create event object
details: EventName = Global\CPFATE_3132_v4.0.30319
EventName = ConsoleEvent-0x00000B1C
Behavior description: Open mutex
details: Local\MSCTF.Asm.MutexDefault1
Behavior description: Window information (the main edit control shows the default KMS port, 1688)
details: Pid = 3132, Hwnd=0x40196, Text = Main, ClassName = WindowsForms10.Window.8.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x501e4, Text = Perform a Validation , ClassName = WindowsForms10.STATIC.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x501dc, Text = Information, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x501e0, Text = Office, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x501ec, Text = Save to File, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x501e8, Text = Windows, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x501ea, Text = = Auto =, ClassName = WindowsForms10.STATIC.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x40162, Text = Activation, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x50176, Text = Activate Windows, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0xc01ca, Text = Activate Office, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x3013c, Text = ===== Host: == Auto Host == Port: 1688 ===== Hello Administrator. Program is ready to work. , ClassName = WindowsForms10.EDIT.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0xb0186, Text = KMSAuto Net 2016 v1.5.0 by Ratiborus, ClassName = WindowsForms10.Window.8.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0xc01fc, Text = KMSAuto Net 2016 Portable by Ratiborus, MSFree Inc. , ClassName = WindowsForms10.EDIT.app.0.141b42a_r14_ad1.
Pid = 3132, Hwnd=0x40136, Text = ReadMe, ClassName = WindowsForms10.Window.8.app.0.141b42a_r14_ad1.
Behavior description: Get TickCount value (the same fifteen entries as listed under Key behavior above)
Behavior description: Get cursor position
details: CursorPos = (806,18728), SleepMilliseconds = 60000.
CursorPos = (7099,26761), SleepMilliseconds = 60000.
CursorPos = (19934,15985), SleepMilliseconds = 3000.
CursorPos = (12243,29619), SleepMilliseconds = 3000.
Behavior description: Open event
details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.3132
MSFT.VSA.IEC.STATUS.6c736db0
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Global\SvcctrlStartEvent_A3752DX
DINPUTWINMM
\KernelObjects\MaximumCommitCondition
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 20.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 20.
[6]: MilliSeconds = 20.
[7]: MilliSeconds = 20.
[8]: MilliSeconds = 20.
[9]: MilliSeconds = 20.
[10]: MilliSeconds = 20.
Behavior description: Hide specified window
details: [Window,Class] = [Form1,WindowsForms10.Window.8.app.0.141b42a_r14_ad1]
[Window,Class] = [C:\Windows\System32\VBoxService.exe,ConsoleWindowClass] (VBoxService.exe is the VirtualBox Guest Additions service, i.e. the analysis VM itself)
Behavior description: Read the CPU time-stamp counter directly (the same four RDTSC entries as listed under Key behavior above)
Behavior description: Import key (DataLen 148 = 8-byte BLOBHEADER + 12-byte RSAPUBKEY + 128-byte modulus, which matches a 1024-bit RSA PUBLICKEYBLOB exactly; a public key can verify signatures but cannot produce them)
details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00BE3227, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00470EBC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00472E1C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0047650C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00476514, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00494F14, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00494FBC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00495064, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0049510C, DataLen: 148, Flags: 0x00000000
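To make the DataLen figure concrete: a CryptoAPI PUBLICKEYBLOB is an 8-byte BLOBHEADER (type, version, reserved, ALG_ID), a 12-byte RSAPUBKEY header ("RSA1" magic, bit length, public exponent) and the modulus in little-endian byte order, so 148 bytes is exactly a 1024-bit RSA public key. The parser below is an added example (my code, not VirSCAN's and not code from the sample) that validates type, version, magic and length before trusting the modulus, and also computes the size CryptImportKey would see for other key strengths. The 1024-bit modulus it is fed is a constructed stand-in, not a key recovered from the sample.

```python
"""Decode a CryptoAPI PUBLICKEYBLOB like the ones passed to CryptImportKey above.
Added example, not VirSCAN code. Layout per the Win32 CryptoAPI documentation:
BLOBHEADER{bType,bVersion,reserved,aiKeyAlg} + RSAPUBKEY{magic,bitlen,pubexp} + modulus (LE)."""
import struct
from dataclasses import dataclass

PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_SIGN = 0x00002400
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # the bytes b"RSA1" read as a little-endian DWORD
HEADER_LEN = 8 + 12      # BLOBHEADER + RSAPUBKEY


@dataclass
class RsaPublicKeyBlob:
    alg_id: int
    bit_length: int
    public_exponent: int
    modulus: int


def parse_publickeyblob(blob: bytes) -> RsaPublicKeyBlob:
    """Parse and validate an RSA PUBLICKEYBLOB; raises ValueError on anything malformed."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    b_type, version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    if b_type != PUBLICKEYBLOB or version != CUR_BLOB_VERSION:
        raise ValueError(f"not a v2 PUBLICKEYBLOB (type={b_type:#x}, version={version})")
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError(f"bad RSAPUBKEY magic {magic:#x}")
    mod_len = bitlen // 8
    if len(blob) != HEADER_LEN + mod_len:
        raise ValueError(f"expected {HEADER_LEN + mod_len} bytes for a {bitlen}-bit key, got {len(blob)}")
    modulus = int.from_bytes(blob[HEADER_LEN:HEADER_LEN + mod_len], "little")
    return RsaPublicKeyBlob(alg_id, bitlen, pubexp, modulus)


def is_valid_publickeyblob(blob: bytes) -> bool:
    """Boolean form of parse_publickeyblob for quick triage of a dumped buffer."""
    try:
        parse_publickeyblob(blob)
        return True
    except ValueError:
        return False


def blob_length_for_bits(bitlen: int) -> int:
    """The DataLen CryptImportKey would log for an RSA PUBLICKEYBLOB of this strength."""
    return HEADER_LEN + bitlen // 8


def build_publickeyblob(alg_id: int, modulus: int, pubexp: int = 65537) -> bytes:
    """Inverse of parse_publickeyblob; used here only to construct a test blob."""
    bitlen = (modulus.bit_length() + 7) // 8 * 8
    return (struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
            + struct.pack("<III", RSA1_MAGIC, bitlen, pubexp)
            + modulus.to_bytes(bitlen // 8, "little"))


# Constructed sample: an arbitrary 1024-bit odd number standing in for a real modulus
# (not a key from the sample), so the blob has the 148-byte shape the report logs.
SAMPLE_MODULUS = (1 << 1023) | 0x10001
SAMPLE_BLOB = build_publickeyblob(CALG_RSA_SIGN, SAMPLE_MODULUS)

if __name__ == "__main__":
    key = parse_publickeyblob(SAMPLE_BLOB)
    print(len(SAMPLE_BLOB), hex(key.alg_id), key.bit_length, key.public_exponent)
```

The length check matters in practice: a PRIVATEKEYBLOB for the same key carries the CRT parameters as well and is several times larger, so a 148-byte buffer with CALG_RSA_SIGN cannot be a private signing key, only a verification key. When dumping the buffer at the logged Data address from a debugger, the type byte and the "RSA1" magic are the first things to confirm before reading a modulus out of it.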
Run screenshot: (screenshot image not included)
